
RE: ".svn" directory name no good (in fact, it is worse than I thought)

From: Shawn <discostu26_at_shaw.ca>
Date: 2003-09-25 09:53:12 CEST

That was the original code in NT4 ... but when they put Unicode in Win
2000 they forgot about the 15 other ways you can get a "." including the
URL encoded versions ... %36 (or whatever the character code is) and
boom you have a nice security hole that Code Red (and its 100 variants)
exploited :)

-----Original Message-----
From: Steve Williams [mailto:stevewilliams@kromestudios.com]
Sent: September 25, 2003 12:31 AM
To: dev@subversion.tigris.org
Subject: Re: ".svn" directory name no good (in fact, it is worse than I thought)

hehehe...

  if (strchr(pUrl, '.'))
    return 404;

Can I get paid lots of money now?

Sly

> Just to shed a little more light on the issue. M$ in their "security"
> push has "fixed" IIS so that it cannot accept directory names with "."
> in them. Just try it. Create a folder in your wwwroot called "test.test"
> (put a file in there) and try and get to it. You'll get a page not found
> error. They got burned bad by all the "..\..\winnt\system32\cmd.exe"
> type hacks. VS.NET uses http to grab the files for web projects so that
> remote and local web projects all work in the same way. What I'm saying
> here is that M$ spent a lot of time and $$$ explicitly not allowing
> folders with "." in them so expecting them to do anything about it is
> completely out of the question.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Thu Sep 25 09:55:05 2003
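
Added example (not part of the original mail, and not IIS or Subversion code): the literal-dot check quoted in the thread beside a version that percent-decodes before checking, to illustrate the point about encoded forms slipping past a match on the raw URL. The function names, buffer size and sample paths are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The check quoted in the thread: inspects only the raw, still-encoded URL. */
int naive_has_dot(const char *url) { return strchr(url, '.') != NULL; }

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst (dst must hold strlen(src)+1 bytes).
 * Returns 0, or -1 on a truncated/non-hex escape or an encoded NUL. */
int pct_decode(const char *src, char *dst) {
    while (*src) {
        if (*src != '%') { *dst++ = *src++; continue; }
        int hi = hexval((unsigned char)src[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)src[2]);
        if (lo < 0 || hi * 16 + lo == 0) return -1;
        *dst++ = (char)(hi * 16 + lo);
        src += 3;
    }
    *dst = '\0';
    return 0;
}

/* Hypothetical hardened check: decode once, then test the decoded form.
 * Fails closed: oversized input, malformed escapes, and any '%' left
 * after decoding (double encoding) all count as "has a dot". */
int strict_has_dot(const char *url) {
    char buf[256];
    if (strlen(url) >= sizeof buf || pct_decode(url, buf) < 0) return 1;
    return strchr(buf, '.') != NULL || strchr(buf, '%') != NULL;
}

int main(void) {
    /* Constructed sample paths; '.' is byte 0x2E. */
    const char *samples[] = { "/test.test/file", "/test%2etest/file",
                              "/test%252etest/file", "/plain/file" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-22s naive=%d strict=%d\n", samples[i],
               naive_has_dot(samples[i]), strict_has_dot(samples[i]));
    return 0;
}
```

Rejecting any leftover '%' also refuses paths that legitimately contain an encoded percent sign; that is the cost of failing closed here.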

This is an archived mail posted to the Subversion Dev mailing list.